Add Express 4.16.0 changelog

Douglas Christopher Wilson
2017-09-28 20:10:48 -04:00
parent 88eac9cc29
commit c40ce1a68c
6 changed files with 52 additions and 12 deletions

@@ -1 +1 @@
current_version: "4.15.5"
current_version: "4.16.0"

@@ -1,8 +1,8 @@
<ul>
<li>
<p class="announcement-title">Express 4.15.5 contains important security updates.</p>
<p class="announcement-title">Express 4.16.0 contains important security updates.</p>
<p markdown="1">
For more information on what was added in this release, see the [4.15.5 changelog](/{{ page.lang }}/changelog/4x.html#4.15.5).
For more information on what was added in this release, see the [4.16.0 changelog](/{{ page.lang }}/changelog/4x.html#4.16.0).
</p>
</li>
</ul>

@@ -1,8 +1,8 @@
<ul>
<li>
<p class="announcement-title">Express 4.15.5 mevcut sürümdür.</p>
<p class="announcement-title">Express 4.16.0 mevcut sürümdür.</p>
<p markdown="1">
Bu sürümde nelerin eklendiği hakkında daha fazla bilgi almak için [4.15.5 changelog](/{{ page.lang }}/changelog/4x.html#4.15.5).
Bu sürümde nelerin eklendiği hakkında daha fazla bilgi almak için [4.16.0 changelog](/{{ page.lang }}/changelog/4x.html#4.16.0).
</p>
</li>
</ul>
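
Review bot: The Turkish announcement title only says that 4.16.0 is the current release ("mevcut sürümdür"), while the English title for the same release says it "contains important security updates". Since 4.16.0 carries security fixes, consider updating the Turkish title to carry the same notice so readers of this locale are not left without the prompt to upgrade.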

@@ -1,8 +1,8 @@
<ul>
<li>
<p class="announcement-title">Express 4.15.5 reliz qilindi</p>
<p class="announcement-title">Express 4.16.0 reliz qilindi</p>
<p markdown="1">
Express 4.15.5 da ko'plab xatolar to'g'irlandi, xavfsizlikni ta'minlash uchun o'zgarishlar kiritildi, ishlash unumdorligi oshirildi va boshqa yangi imkoniyatlar qo'shildi. To'liq ma'lumot uchun [4.15.5 changelog](/en/changelog/4x.html#4.15.5).
Express 4.16.0 da ko'plab xatolar to'g'irlandi, xavfsizlikni ta'minlash uchun o'zgarishlar kiritildi, ishlash unumdorligi oshirildi va boshqa yangi imkoniyatlar qo'shildi. To'liq ma'lumot uchun [4.16.0 changelog](/en/changelog/4x.html#4.16.0).
</p>
</li>
</ul>
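
Review bot: The changelog link in this file hard-codes `/en/changelog/4x.html#4.16.0`, whereas the other announcement files in this commit use `/{{ page.lang }}/changelog/4x.html#4.16.0`. If a localized changelog exists for this language, switch to the `page.lang` form; if the `/en/` target is intentional, a short comment in the file would keep the next version bump from "fixing" it.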

@@ -18,10 +18,13 @@ The list below enumerates the Express vulnerabilities that were fixed in the spe
## 4.x
* 4.16.0
* The dependency `forwarded` has been updated to address a [vulnerability](https://nodesecurity.io/advisories/527). This may affect your application if the following APIs are used: `req.host`, `req.hostname`, `req.ip`, `req.ips`, `req.protocol`.
* The dependency `mime` has been updated to address a [vulnerability](https://nodesecurity.io/advisories/535), but this issue does not impact Express.
* The dependency `send` has been updated to provide a protection against a [Node.js 8.5.0 vulnerability](https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/). This only impacts running Express on the specific Node.js version 8.5.0.
* 4.15.5
* The dependency `debug` has been updated to address a [vulnerability](https://snyk.io/vuln/npm:debug:20170905), but this issue does not impact Express.
* The dependency `fresh` has been updated to address a [vulnerability](https://nodesecurity.io/advisories/526). This will affect your application if the following APIs are used: `express.static`, `req.fresh`, `res.json`, `res.jsonp`, `res.send`, `res.sendfile` `res.sendFile`, `res.sendStatus`.
* The dependency `forwarded` has been updated to address a [vulnerability](https://nodesecurity.io/advisories/527). This may affect your application if the following APIs are used: `req.host`, `req.hostname`, `req.ip`, `req.ips`, `req.protocol`.
* 4.15.3
* The dependency `ms` has been updated to address a [vulnerability](https://snyk.io/vuln/npm:ms:20170412). This may affect your application if untrusted string input is passed to the `maxAge` option in the following APIs: `express.static`, `res.sendfile`, and `res.sendFile`.
* 4.15.2
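
Review bot: The `mime` entry under 4.16.0 states that the issue "does not impact Express", but the 4.16.0 changelog entry in this same commit says it may affect applications when untrusted string input is passed to `res.type()`. The two pages should agree; if `res.type()` is affected, list it here the same way the `forwarded` entry lists its APIs, so readers relying on the security page alone do not conclude that no action is needed.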

@@ -7,6 +7,47 @@ lang: en
# Release Change Log
## 4.16.0 - Release date: 2017-09-28
{: id="4.16.0"}
The 4.16.0 minor release includes security updates, bug fixes, performance enhancements, and some new features, including:
<ul>
<li markdown="1" class="changelog-item">
Update to [jshttp/forwarded module](https://www.npmjs.com/package/forwarded) to address a [vulnerability](https://nodesecurity.io/advisories/527). This may affect your application if the following APIs are used: `req.host`, `req.hostname`, `req.ip`, `req.ips`, `req.protocol`.
</li>
<li markdown="1" class="changelog-item">
Update a dependency of the [pillarjs/send module](https://www.npmjs.com/package/send) to address a [vulnerability](https://nodesecurity.io/advisories/535) in the `mime` dependency. This may affect your application if untrusted string input is passed to the following APIs: `res.type()`.
</li>
<li markdown="1" class="changelog-item">
The [pillarjs/send module](https://www.npmjs.com/package/send) has implemented a protection against the Node.js 8.5.0 [vulnerability](https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/). Using any prior version of Express.js with Node.js 8.5.0 (that specific Node.js version) will make the following APIs vulnerable: `express.static`, `res.sendfile`, and `res.sendFile`.
</li>
<li markdown="1" class="changelog-item">
Starting with this version, Express supports Node.js 8.x.
</li>
<li markdown="1" class="changelog-item">
The new setting `"json escape"` can be enabled to escape characters in `res.json()`, `res.jsonp()` and `res.send()` responses that can trigger clients to sniff the response as HTML instead of honoring the `Content-Type`. This can help protect an Express app from a class of persistent XSS-based attacks.
</li>
<li markdown="1" class="changelog-item">
The `express.json()` and `express.urlencoded()` middleware have been added to provide request body parsing support out-of-the-box. This uses the [expressjs/body-parser module](https://www.npmjs.com/package/body-parser) module underneath, so apps that are currently requiring the module separately can switch to the built-in parsers.
</li>
<li markdown="1" class="changelog-item">
The [`express.static()` middleware](/{{ page.lang }}/4x/api.html#express.static) and [`res.sendFile()` method](/{{ page.lang }}/4x/api.html#res.sendFile) now support setting the `immutable` directive on the `Cache-Control` header. Setting this header with an appropriate `maxAge` will prevent supporting web browsers from sending any request to the server when the file is still in their cache.
</li>
<li markdown="1" class="changelog-item">
The [pillarjs/send module](https://www.npmjs.com/package/send) has an updated list of MIME types to better set the `Content-Type` of more files. There are 70 new types for file extensions.
</li>
</ul>
For a complete list of changes in this release, see [History.md](https://github.com/expressjs/express/blob/master/History.md#4160--2017-09-28).
## 4.15.5 - Release date: 2017-09-24
{: id="4.15.5"}
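
Review bot: In the `express.json()` / `express.urlencoded()` item the word is doubled: "[expressjs/body-parser module](...) module underneath"; drop the second "module". The `"json escape"` item also says the setting "can be enabled" without saying how; naming the call, for example `app.enable('json escape')`, would let readers act on the entry without looking up the settings table.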
@@ -17,10 +58,6 @@ The 4.15.5 patch release includes security updates, some minor performance enhan
Update to [debug module](https://www.npmjs.com/package/debug) to address a [vulnerability](https://snyk.io/vuln/npm:debug:20170905), but this issue does not impact Express.
</li>
<li markdown="1" class="changelog-item">
Update to [jshttp/forwarded module](https://www.npmjs.com/package/forwarded) to address a [vulnerability](https://nodesecurity.io/advisories/527). This may affect your application if the following APIs are used: `req.host`, `req.hostname`, `req.ip`, `req.ips`, `req.protocol`.
</li>
<li markdown="1" class="changelog-item">
Update to [jshttp/fresh module](https://www.npmjs.com/package/fresh) to address a [vulnerability](https://nodesecurity.io/advisories/526). This will affect your application if the following APIs are used: `express.static`, `req.fresh`, `res.json`, `res.jsonp`, `res.send`, `res.sendfile` `res.sendFile`, `res.sendStatus`.
</li>
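
Review bot: In the `fresh` item the API list is missing a comma between `res.sendfile` and `res.sendFile`; the same slip appears in the 4.15.5 entry on the security-updates page. Worth fixing in both places while this list is being edited.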